The above example uses the id for the "rmfile" command. This command's code contains a vulnerability which can be leveraged for remote code execution. The Hex-Rays output of the command's code can be seen below.

In the output above, for case "1", a buffer is allocated and then a call is made to the "removeFileFromDatabase" method. The Hex-Rays output of that method can be found below.

The "removeFileFromDatabase" method then attempts to sanitize the user input with a function called "StringConvert2SystemCmdFilename". This function filters "0x20 ! $ & 0x39 , ; = [ ] ^ ` { } %" but does not filter pipes or backslashes. This allows us to craft a payload that uses pipes for command injection and tabs (\t) instead of spaces for field separation.
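To make the weakness concrete, here is an added C model of the blocklist described above next to an allowlist check; this is example code written for this page, not the product's own "StringConvert2SystemCmdFilename", and the function names, the 255-byte length limit and the sample filenames are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters the write-up says the sanitizer rejects
 * (0x20 is space; 0x39 is transcribed from the write-up as given). */
static const char BLOCKED[] = " !$&\x39,;=[]^`{}%";

/* Blocklist check modelled on the write-up: returns 1 if the name contains
 * any blocked character, 0 otherwise. Note that '|', '\\' and '\t' are
 * absent from the set, so a name built from them passes untouched. */
int blocklist_rejects(const char *name)
{
    return strpbrk(name, BLOCKED) != NULL;
}

/* Hardened alternative (added here, not from the product): accept only an
 * allowlist of characters that can never act as shell metacharacters or
 * field separators. Returns 1 if the name is acceptable, 0 otherwise. */
int allowlist_accepts(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255)          /* assumed length limit */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/')
            continue;
        return 0;                        /* anything else is refused */
    }
    if (strstr(name, "..") != NULL)      /* also refuse path traversal */
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a plain name, one with a space, one with pipe+tab. */
    const char *samples[] = { "clip_01.mp4", "my clip.mp4", "a.mp4|\tb" };
    for (int i = 0; i < 3; i++)
        printf("%-14s blocklist_rejects=%d allowlist_accepts=%d\n",
               samples[i], blocklist_rejects(samples[i]),
               allowlist_accepts(samples[i]));
    return 0;
}
```

Even with the allowlist in place, the robust fix is to stop passing the filename through a shell at all and to run the unlink/database update with a fixed argument vector instead.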

Vulnerability Summary

Transcoding service runs on multiple QNAP NAS models

Listens on TCP port 9251

Service runs as root

Accepts commands to transcode files

Command "rmfile" is vulnerable to a command injection

Sanitization routine filters most unsafe characters

Except vertical pipe!

Spaces are filtered

Use tabs between arguments

Filters: 0x20 ! $ & 0x39 , ; = [ ] ^ ` { } %

Doesn't filter | or \

POC

Sending a message to the transcoding server with command id 0x01, starting and ending with a pipe, and containing a tab-delimited command results in RCE as root.